SQL Database hacked

Discussion in 'General troubleshooting' started by DBehl, Dec 7, 2011.

  1. Hi,
    We had our SQL database hacked on 12/1/2011. Many tables were overwritten with URLs pointing to porn sites.

    Anybody else experience this?

    Support has indicated the likelihood was SQL Injection. We use old 3rd party applications that cannot be upgraded so we cannot pursue this investigation with the vendor.

    However we have the log files from the time and did not see anything unusual.

    But we are not very experienced in trying to resolve this type of problem.

    We would appreciate any thoughts on what to look for in the logs or any other ideas.

    Thanks.
     
  2. If it's a SQL Injection, it's highly likely you can check it in the HTTPLogs. You will be able to find specific key words, like updates, selects, or deletes.

    Try downloading the HTTP Log for the day you were hacked, and you should be able to find these, and you can begin to patch what problems the application has.
     
  3. Checked Logs

    I did download and check the logs earlier and didn't see anything suspicious.

    I looked at them again for your keywords. Nothing.

    For the amount of data inserted (14MB) there is really no variance in the amount of log traffic from any other days.

    I appreciate any other suggestions.

    Thanks.
     
  4. mjp

    The other possibility, though much less likely, is that someone used valid login credentials to alter your database. They would get those through use of a keylogger on your development computer(s). I'm sure support sent you some links to virus detectors, etc.

    But most db compromises are SQL injection, and if you don't plug the hole, so to speak, they will probably be back to do it again.

    If the vendor isn't an option and you aren't up to digging into the code yourself, you'll have to hire a developer to take care of it for you.
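
An added example, not part of any post in this thread: a log scan along the lines suggested in post 2, which URL-decodes each query string (repeatedly, in case of nested encoding) before looking for SQL keywords, since an encoded keyword will not show up in a plain text search. It assumes W3C extended format logs with a `#Fields:` header; the keywords beyond update/select/delete and all sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Keywords named in the thread (update/select/delete) plus a few assumed extras.
SQL_WORDS = re.compile(
    r"\b(update|select|delete|insert|declare|exec(?:ute)?|union|cast|drop)\b", re.I)

def fully_decode(value, max_rounds=3):
    """Undo nested URL-encoding (%2555 -> %55 -> U) so keywords become visible."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(lines):
    """Return (line_no, client_ip, uri, sorted keywords) for suspicious requests."""
    fields, hits = [], []
    for no, line in enumerate(lines, 1):
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        query = row.get("cs-uri-query", "-")
        if query == "-":                   # no query string logged for this request
            continue
        words = sorted({m.lower() for m in SQL_WORDS.findall(fully_decode(query))})
        if words:
            hits.append((no, row.get("c-ip", "?"), row.get("cs-uri-stem", "?"), words))
    return hits

# Constructed sample log (not from the thread); addresses are documentation ranges.
SAMPLE = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2011-12-01 03:10:02 198.51.100.7 GET /catalog.asp id=12 200
2011-12-01 03:10:09 203.0.113.9 GET /catalog.asp id=12;DeClArE%20@s%20varchar(4000);ExEc(@s) 200
2011-12-01 03:10:15 203.0.113.9 GET /catalog.asp id=12;%2555PDATE%2520t%2520SET%2520c=1 200
2011-12-01 03:11:40 198.51.100.7 POST /search.asp - 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

These logs record the URL and query string but not the body of a POST request, so an injection submitted through a form field leaves only a line like the last one in the sample. In that case the useful signals are the POST targets, client addresses and timestamps around the time the tables changed.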
     
